Computer wont start, apple support claims I need to supply filevault recovery password. Is this correct?

[mango_feldman]

The computer wouldnt turn on so I turned it in to support. They have gotten my user password, but claims they need a filevault specific password. I assume they mean the recover key.
I have no recollection of writing that down.

Is it really true that they can't recover the data using my user password? I don't quite get how that can be the case. It is my understanding that my password can unlock the underlying key and this prosess happening on every boot/unlock.

 

[StellarVixen]

The computer wouldnt turn on so I turned it in to support. They have gotten my user password, but claims they need a filevault specific password. I assume they mean the recover key.
I have no recollection of writing that down.

Is it really true that they can't recover the data using my user password? I don't quite get how that can be the case. It is my understanding that my password can unlock the underlying key and this prosess happening on every boot/unlock.

If you locked down your drive with FileVault, there is nothing that can be done without the password, you need the password.

I have no recollection of writing that down.

That is unfortunate. Do you maybe know if you stored it in the iCloud?

 

[mango_feldman]

Thanks for the reply

> If you locked down your drive with FileVault

What does this mean? I have not done any explicit "locking". The computer suddenly refused ro boot.

To be clear: I have my user account/admin password.

 

[StellarVixen]

Thanks for the reply

> If you locked down your drive with FileVault

What does this mean? I have not done any explicit "locking". The computer suddenly refused ro boot.

To be clear: I have my user account/admin password.

but claims they need a filevault specific password.

This right here, they clearly said your system volume has been encrypted using FileVault. Why would they be asking for this specific password otherwise?

 

[mango_feldman]

Yes, I understand that encryption is turned on, but I've never been required to use any other password than my user password before, so surely that is sufficient to decrypt the disk under normal circumstances.

What I'm wondering is what special circumstance would require the recovery key as opposed to the user-password - or if my support contact simply is incompetent.

I can easily imagine that the *standard* procedure to unlock the disk when some software-bug prevents a normal boot to run is using the recovery key/underlying password (since this is one layer closer to the disk), but I'm not convinced this is the *only* way. Unless there's something about how filevault works that I'm unaware of.

 

[Brian33]

Here's my understanding (which I don't claim is complete): Filevault-enabled volumes have the concept of associated "cryptoUsers." When you enable filevault, it offers to add the Mac user account(s) on your system to the list of the volume's cryptoUsers. It saves the Mac account user's password, too. There may optionally be an associated Personal Recovery Key (PRK) and/or an Institutional Recovery Key (IRK).

Thereafter, in every situation I'm aware of, one can unlock the volume with either of the recovery keys (if they exist), or with the combination of a crpytoUser name and password (which will be the same name and password used to log into macOS). See 'man diskutil'.

What I'm wondering is what special circumstance would require the recovery key as opposed to the user-password - or if my support contact simply is incompetent.

I can easily imagine that the *standard* procedure to unlock the disk when some software-bug prevents a normal boot to run is using the recovery key/underlying password (since this is one layer closer to the disk), but I'm not convinced this is the *only* way.

I think your speculation is quite plausible, though I suppose there might be situations where ONLY the PRK/IRK would work.

Does the machine boot to Recovery Mode ok? If so, I think the filevault-protected volume could be unlocked with diskutil apfs unlockVolume <volumeDevice> -user <yourUserid> and be prompted for your normal user password. My reading of the 'diskutil' man page makes me think they could instead be specify -user disk (literally the characters "disk" instead of a username) to be prompted for the PRK. Maybe that's what their troubleshooting script says to do, and they don't realize there's another option...

Here are some commands for anyone (with admin access) to play around with:

See if there's a PRK defined: sudo fdesetup haspersonalrecoverykey

List the cryptousers: sudo fdesetup list -extended

Another way to see the list of cryptousers: diskutil apfs listCryptoUsers <volumeDevice-or-mount-point>

Unlock an encrypted volume: diskutil apfs unlockVolume <volumeDevice> -user <yourUserid>

See all the gory details:
man fdesetup
man diskutil (A LOT of doc here -- search for "apfsVerb" and read the sections following)

 

[mango_feldman]

> Does the machine boot to Recovery Mode ok?

No, the screen is black when booting (external monitor does not work either)

I asked support for clarification, and they say the only way to access the disk is using specialized apple-support tools, but no satisfactory explanation of why the recovery key[1] is required.

They also confirmed that the password-attemps was not exhausted (Found out this can happen yesterday - which I see can be a good thing, but also scary that someone could exhaust these on purpose to mess up the computer)

[1] They call it "filevault password", which is also a bit disconcerting, since this is not an exact term AFAICS.

 

[Brian33]

they say the only way to access the disk is using specialized apple-support tools

Interesting. I wonder what they've got. I'm still skeptical that they couldn't use the volume cryptouser name/password to unlock the volume. I'm quite sure that (APFS) encrypted volumes are not required to have a PRK or IRK. If that's true, it only makes sense that any special tools should be designed to accept a valid "cryptoUser", since there'd be no other way to unlock the volume. However, I certainly don't understand all the possible scenarios, and we have no idea what is wrong with the machine itself. It seems the only thing you can do is accept what they say. I suppose you could take the Mac to another repair shop to get a second opinion.

They call it "filevault password", which is also a bit disconcerting, since this is not an exact term AFAICS

Yeah, I don't think I've seen that term used in the Apple documentation. I suppose they mean the Personal Recovery Key.


I realize now I've been making a big assumption: that you have a relatively recent Mac and therefore running a recent version of macOS -- one that requires the boot disk to be APFS format. If in fact your boot disk is JHFS+ formatted (AKA "macOS extended, journaled"), Filevault uses the "CoreStorage" system for encryption, and may have a different setup to allow users to unlock the volume during boot. I don't recall how it works with CoreStorage (i.e., HFS+ volumes)...

I'm curious what model Mac it is, and what version of macOS was running?

 

[MacCheetah3]

Maybe helpful:

Protect data on your Mac with FileVault

Turn on FileVault to add an extra layer of security to the encrypted data on your Mac.

support.apple.com

 

[kitKAC]

> Does the machine boot to Recovery Mode ok?

No, the screen is black when booting (external monitor does not work either)

I asked support for clarification, and they say the only way to access the disk is using specialized apple-support tools, but no satisfactory explanation of why the recovery key[1] is required.

They also confirmed that the password-attemps was not exhausted (Found out this can happen yesterday - which I see can be a good thing, but also scary that someone could exhaust these on purpose to mess up the computer)

[1] They call it "filevault password", which is also a bit disconcerting, since this is not an exact term AFAICS.

Your login password (FileVault password) unlocks the disk. If that doesn’t work for some reason, then you can use the Recovery Key (which you either write down or save in iCloud). You choose one option or the other, if you don’t remember writing down the key then you probably used the save in iCloud option. That means you need to use your iCloud creds to unlock the disk with.

It’d would be very difficult to exhaust the password attempts as there is an ever increasing delay between each attempt and you can still bypass those by using the recovery key (To reset your login password).

 

[NoBoMac]

Filevault uses the "CoreStorage" system for encryption, and may have a different setup to allow users to unlock the volume during boot. I don't recall how it works with CoreStorage (i.e., HFS+ volumes)...

CoreStorage FileVault is similar to APFS. It boils down to does the Mac have a T2/M chip or basic Intel. If T/M, it stores the encryption keys in Secure Enclave. Plain Intel, encrypted plist in the recovery partition.

It’d would be very difficult to exhaust the password attempts as there is an ever increasing delay between each attempt and you can still bypass those by using the recovery key (To reset your login password).

I'm not sure if there is a limit on plain Intel, but T/M, as mentioned, Secure Enclave in play and acts more like an iOS device (delays, wipes). Though the way plain Intel acts when a password is mistyped, there appears to be a delay to slow down brute-force, just might not be as onerous as Secure Enclave when 10 is reached (actually 30 to exhaust all options).

Passcodes and passwords

Learn about passcodes (in iOS and iPadOS) and passwords (in macOS).

support.apple.com